FortiGate
lblossier
Staff
Article Id 193335

Description

This article explains how the output of the 'diag sniff packet' command can be imported into Wireshark (formerly known as Ethereal).


Solution

When using the Perl script:

  1. If a Perl interpreter is not already installed, search the Internet for a free 'ActivePerl' distribution, for example ActivePerl-5.8.8.819-MSWin32-x86-267479.zip.

  2. Download the 'fgt2eth.pl.zip' file below, and extract the script 'fgt2eth.pl' to the Perl folder after installation.

  3. Open a command prompt window and execute:

cd \Perl  ( <- folder name of Perl after install)
perl fgt2eth.pl -in <file captured>.txt -out <output name>.cap

 

When using the Perl executable program (Windows):

  1. It is not necessary to have a Perl interpreter installed. Download the 'fgt2eth.exe.12.2014.zip' file attached below, and extract the executable 'fgt2eth.exe' to the desired folder.

  2. Open a command prompt window and execute:

cd \MyExeFolder  ( <- folder to which fgt2eth.exe was extracted)
fgt2eth.exe -in <file captured>.txt -out <output name>.cap

When using the Perl script (macOS):

If you are running macOS, it is possible to use Homebrew (https://brew.sh/), which is an emulator. Once Homebrew is installed, it will be necessary to run the following command:

brew install wireshark

This will install the equivalent of the text2pcap.exe mentioned in the Result section below, but for a Linux/macOS environment.

To make fgt2eth.pl executable, change the mode of the file by issuing the following command:

chmod +x fgt2eth.pl

It is possible to move this file to a location in the PATH environment variable. This allows the script to be run from any directory without first changing into the directory that contains it, and can be done with either the mv or the cp command. In this example, fgt2eth.pl is sitting on the Desktop and is to be moved to /opt/homebrew/bin, so type this command:

mv ~/Desktop/fgt2eth.pl /opt/homebrew/bin

or, to keep a copy on the Desktop as well:

cp ~/Desktop/fgt2eth.pl /opt/homebrew/bin

Note: ~/ is a shortcut to the home directory, /Users/<username>. Also mv = move and cp = copy.
 
Result:

Once this has been completed, the <output name>.cap file can be opened in Wireshark or any traffic analyzer that decodes this format.

For this script/executable to function properly, it must be able to run a file named text2pcap.exe that is installed as part of a Wireshark installation package. An error will be shown if this file cannot be found.
Ensure the PATH variable is set correctly to include the Wireshark installation directory (by default C:\Program Files\Wireshark), or move this script/executable directly to the Wireshark directory.

The tool can also pipe its output directly to Wireshark (see the option below that starts Wireshark for real-time follow-up).

Usage:

Version : Dec 19 2014
Usage : fgt2eth.pl -in <input_file_name>

Mandatory arguments are:

-in  <input_file>    Specify the file to convert (FGT verbose 3 text file)

Optional arguments are:

-help                Display help only
-version             Display script version and date
-out <output_file>   Specify the output file (Ethereal readable)
                     By default <input_file>.pcap is used.
-will start wireshark for realtime follow-up
-lines <lines>       Only convert the first <lines> lines
-demux               Create one pcap file per interface (verbose 6 only)
-debug               Turns on debug mode

When running the script on macOS from a location in the PATH, it is recommended to pass both -in %source-file% and -out %output-file% explicitly.
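To show what the conversion actually does, here is an added Python example that is not the fgt2eth script or any Fortinet code: it parses the verbose 3 hex dump (the tab-delimited offset / hex words / ASCII lines printed by 'diagnose sniffer packet') directly into a classic pcap file, so it also works where text2pcap is not installed. The sample capture text and the script name fgt_sniff2pcap.py are constructed; it assumes verbose 3 output (Ethernet frames, relative timestamps), and writes those relative timestamps as seconds since the Unix epoch because the text carries no absolute time.

```python
import struct, sys

# Constructed sample of 'diagnose sniffer packet any "icmp" 3' (verbose 3) output:
# a summary line per packet, then hex-dump lines (offset, hex words, ASCII column).
SAMPLE = """interfaces=[any]
filters=[icmp]
0.513492 192.168.1.10 -> 192.168.1.1: icmp: echo request
0x0000\t 0009 0f09 0001 0009 0f09 0002 0800 4500\t..............E.
0x0010\t 001c 0001 0000 4001 f7b0 c0a8 010a c0a8\t......@.........
0x0020\t 0101 0800 f7ff 0000 0000\t..........
1 packets received by filter
0 packets dropped by kernel
"""

def parse_sniffer_text(text):
    """Return [(relative_timestamp, ethernet_frame), ...] from verbose 3 text."""
    packets, ts, chunks = [], None, []
    for line in text.splitlines():
        if line.startswith("0x"):
            # "0x0010<TAB> 001c 0001 ...<TAB>ascii": the hex column is tab-delimited
            chunks.append(bytes.fromhex(line.split("\t")[1].replace(" ", "")))
            continue
        if chunks:                         # any other line ends the current packet
            packets.append((ts, b"".join(chunks)))
            chunks = []
        try:                               # summary line begins with seconds.micros
            ts = float(line.split(" ", 1)[0])
        except ValueError:
            pass                           # interfaces=/filters=/trailer lines
    if chunks:
        packets.append((ts, b"".join(chunks)))
    return packets

def to_pcap(packets):
    """Serialise (ts, frame) pairs as a classic little-endian pcap, link type Ethernet."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in packets:
        sec, usec = int(ts or 0), round(((ts or 0) - int(ts or 0)) * 1_000_000)
        if usec == 1_000_000:              # guard against rounding up to a full second
            sec, usec = sec + 1, 0
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

if __name__ == "__main__":                 # usage: python fgt_sniff2pcap.py in.txt out.pcap
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    with open(sys.argv[2] if len(sys.argv) > 2 else "capture.pcap", "wb") as fh:
        fh.write(to_pcap(parse_sniffer_text(src)))
```

The resulting file opens in Wireshark like the fgt2eth output; verbose 4 to 6 output, which prefixes each packet with an interface name, is not handled here.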
 